MAG254 Notes

The MAG 254 has two flash chips, one NAND and one NOR (SPI). The firmware is held on the NOR chip (which looks like it can be removed and reprogrammed easily enough, but I think the SoC might have some kind of signature verification baked in, so a backup is essential, taken directly from the chip, not via the MTD device).

The layout reported by the kernel log looks like this for the NOR chip: –

The Bootloader partition is where the factory firmware is located. There’s an ELF binary (0x500 bytes long) and a zlib section immediately after this (or perhaps it’s embedded in the ELF). Once inflated (decompressed), the zlib section contains text strings suggesting it is U-Boot, but it also has strings that relate to the BIOS menu.
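One way to locate and inflate a zlib section like the one described above when analysing a backup of the partition. This is an added example, not part of the original notes: the function names are hypothetical, and the input is a constructed stand-in (a 0x500-byte ELF stub followed by a zlib stream and erased-flash padding) rather than a real dump. It scans from offset 0 rather than 0x500 so that a stream embedded inside the ELF would also be found.

```python
import re
import zlib

ELF_LEN = 0x500  # length of the leading ELF binary, as given in the notes


def find_zlib_streams(blob, start=0, min_out=16):
    """Return (offset, compressed_len, data) for every zlib stream that inflates cleanly."""
    found, pos = [], start
    while pos + 2 <= len(blob):
        cmf, flg = blob[pos], blob[pos + 1]
        # RFC 1950 header: method 8 (deflate), window <= 32 KiB, 16-bit value % 31 == 0
        if (cmf & 0x0F) == 8 and (cmf >> 4) <= 7 and ((cmf << 8) | flg) % 31 == 0:
            inflater = zlib.decompressobj()
            try:
                data = inflater.decompress(blob[pos:])
            except zlib.error:
                data = b""  # header matched by chance; not a real stream
            # eof is only set once the Adler-32 trailer has been verified
            if inflater.eof and len(data) >= min_out:
                used = len(blob) - pos - len(inflater.unused_data)
                found.append((pos, used, data))
                pos += used
                continue
        pos += 1
    return found


def ascii_strings(data, min_len=6):
    """Printable ASCII runs, like strings(1)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def constructed_sample():
    """Constructed stand-in for the Bootloader partition: 0x500-byte ELF stub + zlib."""
    elf = b"\x7fELF" + b"\x00" * (ELF_LEN - 4)
    payload = b"U-Boot (constructed sample string)\x00Boot menu placeholder text\x00"
    return elf + zlib.compress(payload) + b"\xff" * 64  # 0xff = erased flash padding


if __name__ == "__main__":
    for off, used, data in find_zlib_streams(constructed_sample()):
        print(f"zlib stream at {off:#x}: {used} -> {len(data)} bytes")
        for s in ascii_strings(data):
            print("   ", s)
```

The reported offset shows whether the stream starts right after the ELF (0x500) or inside it, which is the question the notes leave open.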

This is what I think the boot/check sequence looks like: –

Boot BIOS (blue/white menu). Loads Bootloader from NAND, or from USB etc. Checks the loaded image and transfers control if the signature passes. The private key is initially the default publicly available key pair (stb_secbin.key & stb_pubbin.key).

The Bootloader launches into the update process, and looks for the mag254/imageupdate file. The bootloader checks this file’s signature according to

Primary bootloader is possibly from the NOR flash chip, which provides U-Boot to the SoC. This in turn finds a uImage to boot, from the NAND, TFTP, USB, etc. It’s hard to know

From rebootmng.sh, the following actions are inhibited by the script. This looks kind of like U-Boot being configured to boot the file ‘mag254/Bootstrap’ (which is indeed a uImage containing a Linux Kernel) directly from the USB.